From 9f54b01218bde8ed60177d1b210cb3ccf625237b Mon Sep 17 00:00:00 2001
From: Djordje Lukic <112394060+djlukic@users.noreply.github.com>
Date: Sat, 14 Dec 2024 21:55:02 +0100
Subject: [PATCH] Merge PR #5122 from @djlukic - Fix `bXOR Operator Usage In PowerShell Command Line - PowerShell Classic`

fix: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic

- Update the logic to remove unrelated keywords and reduce unwanted matches.

---------

Co-authored-by: Djordje Lukic
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali
---
 .../posh_pc_bxor_operator_usage.yml | 29 +++++++++++++++++++
 .../posh_pc_xor_commandline.yml | 27 -----------------
 2 files changed, 29 insertions(+), 27 deletions(-)
 create mode 100644 rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml
 delete mode 100644 rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml

diff --git a/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml b/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml
new file mode 100644
index 00000000000..fabaf99bf5f
--- /dev/null
+++ b/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml
@@ -0,0 +1,29 @@
+title: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
+id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
+status: test
+description: |
+    Detects powershell execution with that make use of to the bxor (Bitwise XOR).
+    Attackers might use as an alternative obfuscation method to Base64 encoded commands.
+    Investigate the CommandLine and process tree to determine if the activity is malicious.
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1
+author: Teymur Kheirkhabarov, Harish Segar
+date: 2020-06-29
+modified: 2024-12-11
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - detection.threat-hunting
+logsource:
+    product: windows
+    category: ps_classic_start
+detection:
+    selection:
+        Data|contains|all:
+            - 'HostName=ConsoleHost'
+            - ' -bxor '
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
deleted file mode 100644
index c54a451470b..00000000000
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ /dev/null
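Review bot: The description of the new rule is ungrammatical in its first two lines (`Detects powershell execution with that make use of to the bxor (Bitwise XOR).` and `Attackers might use as an alternative obfuscation method to Base64 encoded commands.`) and should read `Detects PowerShell execution that makes use of the bxor (bitwise XOR) operator.` followed by `Attackers might use it as an alternative obfuscation method to Base64 encoded commands.`. The selection value `' -bxor '` requires a space on both sides of the operator, so a command line where the operator is immediately followed by a parenthesis or a line break would presumably not match; if that narrowing is intentional to keep the hunting rule precise, a sentence in the description saying so would save the next maintainer from "fixing" it. Reusing the id `812837bb-b17f-45e9-8bd0-0ec35d2e3bd6` from the deleted rule is consistent with a rename, but since the title, level and folder all change at once, a brief note in the description or commit body on why the rule moved to threat-hunting at level low would help consumers who key on those fields.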
@@ -1,27 +0,0 @@
-title: Suspicious XOR Encoded PowerShell Command Line - PowerShell
-id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
-status: test
-description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
-references:
-    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
-author: Teymur Kheirkhabarov, Harish Segar (rule)
-date: 2020-06-29
-modified: 2023-10-27
-tags:
-    - attack.execution
-    - attack.t1059.001
-logsource:
-    product: windows
-    category: ps_classic_start
-detection:
-    selection:
-        Data|contains: 'HostName=ConsoleHost'
-    filter:
-        Data|contains:
-            - 'bxor'
-            - 'char'
-            - 'join'
-    condition: selection and filter
-falsepositives:
-    - Unknown
-level: medium